[OpenID] Trust + Security @ OpenID

John Panzer jpanzer at acm.org
Thu Jul 19 23:56:02 UTC 2007


Dmitry Shechtman wrote:
> Thank you for your comments, John.
>
>> In particular, if you see a 302 redirect on step (2) to an https:// URL,
>> ignore it (susceptible to man-in-the-middle attack).
>
> So should we distrust identifiers that redirect via plain HTTP?
The attack vector:  I poison your local DNS resolver, or proxy all 
traffic, so that http://foo.blogspot.com actually resolves to 
http://evil.org's IP.  If you follow the 302 redirect, you could be 
allowing evil.org to tell you what the "canonical" URL is.  For example 
it could do a 302 redirect over to https://evil.org which presents a 
valid certificate and which can masquerade as the user's OP, capturing 
their password.  (For users who check URLs, it could be 
https://my.open1d.org instead of https://evil.org.)

If you use https throughout, the DNS attack will fail because 
https://foo.blogspot.com can't present a valid certificate for 
foo.blogspot.com.
>
>> And the above applies both to an OpenID URL itself and any URLs that 
>> resource delegates to via <link>.
>
> I don't see why delegates should get any special treatment. In fact, it
> looks like the security add-on should be completely delegation-blind.
(Same argument as above for 302 redirects.)  Note that this is a fairly 
difficult attack but we are talking about security-conscious RPs here.
>
> Regards,
> Dmitry
> =damnian

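The discovery rule John describes above (do not let a hop served over plain HTTP hand the RP an https:// URL, whether by 302 or by a delegation `<link>`, and treat a chain as authenticated only if every hop was https) can be put into code at the relying party. The following is an added example written for this archive page, not code from John, Dmitry or any OpenID library. The network is replaced by a constructed in-memory table (`SIMULATED_WEB`, `fake_fetch`) so it runs offline; the hostnames in it are constructed placeholders, `MAX_HOPS` is an assumed loop cap, and applying the rule to the `openid.server` link as well as `openid.delegate` follows the thread's reading that it covers "any URLs that resource delegates to via `<link>`".

```python
"""OpenID 1.x discovery with the plain-HTTP-cannot-vouch-for-HTTPS rule (added example)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import Callable, Dict, List, Optional
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: small cap so a redirect loop cannot run forever


@dataclass
class Response:
    """Minimal stand-in for an HTTP response: status, headers, HTML body."""
    status: int
    headers: Dict[str, str]
    body: str = ""


@dataclass
class Discovery:
    canonical_url: str           # URL the redirect chain ended on
    op_endpoint: Optional[str]   # href of <link rel="openid.server">, if any
    delegate: Optional[str]      # href of <link rel="openid.delegate">, if any
    chain: List[str]             # every URL touched, in order
    authenticated: bool          # True only if every hop in the chain was https


class DiscoveryRejected(Exception):
    """Raised when an unauthenticated (plain-http) hop tries to vouch for an https URL."""


class _LinkParser(HTMLParser):
    """Collect <link rel=... href=...> pairs; rel may hold several tokens."""
    def __init__(self) -> None:
        super().__init__()
        self.links: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = dict(attrs)
        rel, href = a.get("rel"), a.get("href")
        if rel and href:
            for token in rel.lower().split():
                self.links[token] = href


def _scheme(url: str) -> str:
    return urlsplit(url).scheme.lower()


def _check_upgrade(source: str, target: str, what: str) -> None:
    # The rule from the thread: a plain-http hop may really be a DNS-poisoned or
    # proxied attacker, so it must never name an https:// URL as authoritative.
    if _scheme(source) == "http" and _scheme(target) == "https":
        raise DiscoveryRejected(
            f"{what} from {source} to {target} was served over plain HTTP")


def discover(identifier: str, fetch: Callable[[str], Response]) -> Discovery:
    """Follow redirects and parse delegation links, enforcing _check_upgrade."""
    url, chain = identifier, [identifier]
    for _ in range(MAX_HOPS):
        resp = fetch(url)
        if resp.status in (301, 302, 303, 307, 308):
            target = urljoin(url, resp.headers["Location"])
            _check_upgrade(url, target, "redirect")
            url = target
            chain.append(url)
            continue
        if resp.status != 200:
            raise DiscoveryRejected(f"unexpected status {resp.status} at {url}")
        parser = _LinkParser()
        parser.feed(resp.body)
        delegate = parser.links.get("openid.delegate")
        endpoint = parser.links.get("openid.server")
        for name, link in (("delegation", delegate), ("openid.server link", endpoint)):
            if link:
                _check_upgrade(url, urljoin(url, link), name)
        return Discovery(
            canonical_url=url,
            op_endpoint=urljoin(url, endpoint) if endpoint else None,
            delegate=urljoin(url, delegate) if delegate else None,
            chain=chain,
            authenticated=all(_scheme(u) == "https" for u in chain),
        )
    raise DiscoveryRejected(f"more than {MAX_HOPS} redirects from {identifier}")


# Constructed stand-in for the network (URL -> Response); hostnames are placeholders.
SIMULATED_WEB: Dict[str, Response] = {
    # Honest identifier, https throughout: a DNS poisoner cannot present a valid cert.
    "https://alice.example/": Response(200, {}, """<html><head>
        <link rel="openid.server" href="https://op.example/server">
        <link rel="openid.delegate" href="https://op.example/alice"></head></html>"""),
    # The attack in the thread: the plain-http identifier "resolves" to the attacker,
    # who 302s to a lookalike https host that does hold a valid certificate.
    "http://foo.blogspot.example/": Response(302, {"Location": "https://my.open1d.example/"}),
    # Plain http throughout: accepted, but the result is marked unauthenticated.
    "http://bob.example/": Response(302, {"Location": "/blog/"}),
    "http://bob.example/blog/": Response(200, {},
        '<link rel="openid.server" href="http://op.example/server">'),
    # Delegation variant of the same attack: an http page names an https OP.
    "http://carol.example/": Response(200, {},
        '<link rel="openid.delegate" href="https://my.open1d.example/carol">'),
}


def fake_fetch(url: str) -> Response:
    return SIMULATED_WEB.get(url, Response(404, {}))
```

Calling `discover("https://alice.example/", fake_fetch)` returns an authenticated result; the `bob` chain is returned but flagged `authenticated=False`, which is the signal a security-conscious RP can use to refuse or downgrade the login; the `foo.blogspot` and `carol` cases raise `DiscoveryRejected` at the exact hop where an unauthenticated page tried to steer discovery to an https host.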

